cqure.net.20040430.citrixmetaframe

From: Patrik Karlsson (patrik_at_cqure.net)
Date: 04/30/04

    Date: Fri, 30 Apr 2004 10:12:43 +0200 (CEST)
    To: bugtraq@securityfocus.com
    
    

    Hi,

    The following advisory has been released by cqure.net.
    The severity level has been set to low, as in Citrix's advisory,
    available at:

    http://support.citrix.com/kb/entry.jspa?entryID=4289&categoryID=118

    The reason for the low severity is the fact that you have to be local
    admin on the Citrix server itself to perform the attack.

    That said, an attacker attacking for example an ASP could still end up
    with admin privileges on a couple of customer domains and local network
    access to a few thousand workstations. Since the access to drives is
    tunneled through the client's ICA session, a firewall would not block this.
    Then again, an attacker could probably do a lot worse things as local
    admin :)

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ============================================================
    cqure.net Security Vulnerability Report
    No: cqure.net.20040430.citrixmetaframe
    ============================================================

    Vulnerability Summary
    - -------------------
    Severity: Low

    Threat: An administrator can access all of the Citrix user's
            client drives

    Products:
            MetaFrame XP Presentation Server for Windows 1.0
            MetaFrame 1.8

    Platforms: All

    Solution: Apply vendor supplied patches

    Vulnerability Description
    - -----------------------
    It is possible for an administrator to mount any client
    drive available in any user's Citrix session.

    The drive has to be mounted on the client (local or network
    drive) but does not need to be mounted inside the Citrix
    session. Access to the drives is granted as the user running
    the Citrix client.

    Solution
    - ------
    Apply the patches outlined in the Citrix advisory:
    http://support.citrix.com/kb/entry.jspa?entryID=4289&categoryID=118

    Additional Information
    - --------------------
    It should be noted that administrative access to the
    Citrix Server is required to achieve this particular attack.
    There are of course other approaches to achieving the same end
    result, even with the patch applied to the system, when one is
    the local administrator.

    This advisory is available at http://www.cqure.net

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3

    iQA/AwUBQJIIqk8V4IWk13ufEQI13QCg63MqunM28K7RpaJ82ntcrHQXK7QAn2OI
    cqJHSX86VQnG/eKx6t+S5YgC
    =aZ8r
    -----END PGP SIGNATURE-----

    -- 
    Patrik Karlsson, patrik@cqure.net
    http://www.cqure.net
    
